[Bug 1230118] New: [SELinux] Select SELinux as default MAC in enforcing mode in the tumbleweed installer
https://bugzilla.suse.com/show_bug.cgi?id=1230118

Bug ID: 1230118
Summary: [SELinux] Select SELinux as default MAC in enforcing mode in the tumbleweed installer
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: cathy.hu@suse.com
Reporter: cathy.hu@suse.com
QA Contact: security-team@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

just pasting the email to factory as reference:

RFC: SELinux as default MAC system on new Tumbleweed installations

SELinux is being adopted more and more as the main Mandatory Access Control (MAC) system in openSUSE distributions and SUSE products. The SUSE SELinux working group would like to announce the plan to switch new Tumbleweed installations to SELinux as default MAC system *by the end of this year*.

Currently, new Tumbleweed installations select AppArmor in the installer as default MAC system. After this change, new Tumbleweed installations will select SELinux in enforcing mode as default MAC system. Users will still be able to select AppArmor as MAC system in the installer.

Existing installations will *not* be affected. If you would like to migrate your existing system from AppArmor to SELinux, we have a guide on what to consider and how to do that here [0].

*What does it mean for users?*

Our SELinux policy contains many policy modules, which confine most well-known services. Switching to SELinux means more services are confined by default, which means enhanced security. On the other hand, more confinement also means that in the early phase of the adoption there could be more bugs caused by SELinux denying legitimate accesses.

We perform both manual and automated tests via openQA, to ensure that our policy works seamlessly. We also rely on you, the community, to create bugreports so that we can adapt the policy to any scenarios that we did not foresee.

We have a page on how to report bugs here:
https://en.opensuse.org/openSUSE:Bugreport_SELinux

To learn more about SELinux, we also have a Portal in the openSUSE wiki:
https://en.opensuse.org/Portal:SELinux

Please feel free to reply to this email in case you have any questions or concerns.

We plan to do the change earliest in September 2024, and latest by the end of the year. Separate announcements will follow just before and after the change.

TL;DR:
- The Tumbleweed installer will select SELinux in enforcing mode as default on new installations
- When: by the end of 2024, earliest in September, we will do separate announcements before and after
- AppArmor can still be selected in the installer as an alternative
- Existing installations will *not* change
- Leap 15.x is not affected in any way

[0] https://en.opensuse.org/Portal:SELinux/Setup#Setup_SELinux_on_existing_tumbl...

--
You are receiving this mail because:
You are on the CC list for the bug.

Cathy Hu <cathy.hu@suse.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
CC         |        |dleuenberger@suse.com,
           |        |filippo.bonazzi@suse.com,
           |        |jsegitz@suse.com

https://bugzilla.suse.com/show_bug.cgi?id=1230118#c1

--- Comment #1 from Cathy Hu <cathy.hu@suse.com> ---
https://github.com/yast/skelcd-control-openSUSE/pull/287

Cathy Hu <cathy.hu@suse.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Depends on |        |1231473

Cathy Hu <cathy.hu@suse.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Depends on |        |1231477

Cathy Hu <cathy.hu@suse.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Depends on |        |1231479

Cathy Hu <cathy.hu@suse.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Depends on |        |1231482

Cathy Hu <cathy.hu@suse.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Depends on |        |1231483

Cathy Hu <cathy.hu@suse.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Depends on |        |1231485

Cathy Hu <cathy.hu@suse.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Depends on |        |1231489

Cathy Hu <cathy.hu@suse.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Depends on |        |1231491

Cathy Hu <cathy.hu@suse.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Depends on |        |1231492

Cathy Hu <cathy.hu@suse.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Depends on |        |1231493

Cathy Hu <cathy.hu@suse.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Depends on |        |1231510

Cathy Hu <cathy.hu@suse.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Depends on |        |1231511

Cathy Hu <cathy.hu@suse.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Depends on |        |1231512

Cathy Hu <cathy.hu@suse.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Depends on |        |1231513

Cathy Hu <cathy.hu@suse.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Depends on |        |1231514

Ana Guerrero <ana.guerrero@suse.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
CC         |        |ana.guerrero@suse.com

https://bugzilla.suse.com/show_bug.cgi?id=1230118#c5

Joe S <jmscdba@gmail.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
CC         |        |jmscdba@gmail.com

--- Comment #5 from Joe S <jmscdba@gmail.com> ---
Hi Cathy,

I tested out your instructions for switching an EXISTING Tumbleweed installation from apparmor to selinux. Overall, everything worked perfectly, however I did find something that you might want to update in your instructions.

After following all your instructions I ran "selinux-ready" and it had 2 errors:

check_packages: ERR. Package 'restorecond' not installed, please run 'zypper in restorecond' as root
check_runlevel: ERR. please enable restorecond with systemctl enable restorecond.service.

After installing restorecond and enabling the restorecond.service, selinux-ready now reports everything is OK.

Hope that helps!